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KgMARKS 



Claims 1-5 ftnd 7-36 arc pending, with claimR 1J2» 17, 24, and 36 being independent. 
Claims 1 , 3, 12, 1 7, and 36 have bwn amended. No new mailer has h^j\ iddcd. 
Rcxionsidcration ai^d allowance ofthc above-referenced applioalion arcrespcolfijily rcqucsied. 

M otion Under 35 U.S.C. § 1 12: 

Claims 1, 4, 7, 10, 12, 1 18, 20, 21, and 24-27 siand rejected nnder 35 U.S.C. § 1 12, 
second iwragraph^ as allegedly being indefinite, Tlij.s comeniion is respectfully traversed. 

Cluims 1 , 4, 7, and 12 arc objected to for allegedly filing to provide sufficient antecedent 
basis for ihe phrase, nhe storage area protection-'. However, thest- claims arc defmite as written 
brc^jiisc "the storage iiren protection'* corresponds to protected nixjii". Noncthclc^w, in order in 
expedite prosceuii^m, claims 1 und J 2 have been amended to make the anlocedenl basis for "the 
storage area protection'- mon: elrar. TIius, witlidrawal ofihfe objcclion I? respectfully requested. 

Claims \A2, 20, and 2 1 arc objected \o for allegedly failing to provide sufficienl 
antecedent basis for Die phrase, ''the fomicrly pmtrctcd storage area". However, these claims are 
dcnaiie aij written because "Ihe fomicrly protected stomgc area** is clearly the result of removing 
*Hhc .storage area protection". Nonetheless, in order to expedite prosecution, claims LI?., .ind 17 
have been amended to make the antecedem basis for "the formerly protected storage area'' mnrr: 
clear. Thui», withdr?iw;-ii of this objection is ret^pectfully requested. 

Claim 1 0 is objected to for allegedly failing to provide sunScicni anteecdont basis for. 
'Ihe information". Antecedent basis for this fr.nurc can be found in line 10 of claim 1 : 
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"P«>viding in^nmrn derived ftom Ihc fonnoriy p,.tcr.cd .«>rofic «oa to a pn^ccssing 
system detection tool- (en,piu,.is added). Thus, wilbdrawaJ of ti,is objection is respectfully 
rcq»ii:5lcd. 

Claim 12 is objected lo for allc(5crflyftni„Riop,x)vidcsafficic:nt antecedent basis for, 
•the iirfonnafW. Amccedent b«,is for th{. fcaiu« cun be found in line 10 ofclaim 12: 
-providingiofeuLon derived fron, the fon^criy protccd .tora.c area to a dat, pn^ccsing 
system doU«.,io« u,ai: ' (c:nipl«..is added). TT,U3. ^vuhdr.waI of this ob^ion ia i,),pcctru.Iy 

Claims 24-27 ore objcc.cd .o for allegedly failing to p„,vidc .ulUdem antecedent b..i3 
for. "(h. dcrccu-on .ool" Aniccedcm h,.is for rhis foalur. can be found in line 2 orchiim 24: 
defa proccs..in, system de.^ciio,Usal:" (cmphasi.s added). Thus, wiftdra^d ofhisobjecUon is 
respccllliliy requested 

Claim 25 i. ol,jcxred lo for allegedly failing to p,ovide sufReionI antecoJcni b.si,s f<,r. 
"the system". Antecedent bam for rhis featUK= can he ibunci in line 1 ofcioim 24: "A,«jn 
comprising:" (en.ph««. added). Thus, withdrawal of this objection is n:.poetft,Ilv requested. 

aaim 27 is obiocted to for allcffrJly f«iHng to provide sufficient antecedent basis for, 
•nhe detection agent". AlUeccdent ba,i.s for this featwe can be found in lim: I ofclaim 27: "The 
system of cbin, 24. further compriain, operable to send inlW.ti„n ,o the 

cicection tool, the detection agent being operable to load che Icernel-mode soAwarc moCflc in t.c 
data processing aysten, and cammuniea.e with the loaded ka,iel^ode soHwan. module n„d with 
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the daccUon tool." (enipha»ls odded). Uvk wiOjdrawal of litis objection is respectfully 
requested. 

Claim 1 5 is objected lo for allegedly not being clear with respect lo the phrase, "the 
packet dtmctunj allows for only a ono-to^Jne connection." However, this phrtise is clear by it 
plain meaning. Claim 1 ?. recites, "sending the infonnation in packets having a packer stnicturc 
useable over both the peripheral device inicrJace medium and the network comjiiunications 
medium." Hias, claim 1 5 is clearly spcrifying that a connection formed between the sender airf 
recipient of the pockets is limited to a onc-lo-onc connocdoiu as opposed lo a. onc-lo-many 
connection. This terminology is clear to one skilled in ihc art of pnckct based communications. 
Moreover, as described in the specification, " TIk packet slmcturc enn nl low a strictly one-to-one 
conjieclion to be spttcilicd to increase communicatiorts security (i.e.. the server agent may be 
limited lo communicating with only one client at a time)." (See Specification at ^."ifl.) Thu\ 
claim 15 definite as written, and wiihdmwal of this objection is respectfully reqtieslcd. 

Claim 18 is objected to for allegedly mt being clear with respect lo the phrase, "without 
altering the suiragc device." Tlw OITice asks whcdicr this means "v^ithotil alierinfi content of 
storage d«vlcc or witliout alterinfi conflguraUon of storage devirc (i.e., protection area)?" (.NVe 
Office Action .-w p^-gc 4.) However, by its plain meaning, ihc phra.s6 "without, altering the 
Btorage device" clearly means both; neither the content of Utc storage device nor ihr 
configuration of the storage device ;.rr. altered when the kernel-mode .toflwaix: module is run and 
dynamically loaded accorditig lo ihc subject matter of claim 1 8. Thus, claint 1 8 definite as 
wriiien, and wittidniwal oftliis objection is ix^pcctfuliy raiuesicd.. 
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For ell of Ihc above reasons, «vitlidniwal of the rrjeaions under 35 U.S.C. ? n 2 is 
respecifully roqucated, 

Cl«im 1-16 and 18 stand rejected under 33 U.S.C J 01 as allc,cdly being directed to 
non-slatutory subject matter. J]m contcnliun k respectfully traversed. 

The Office has exp,t:«ed concern «,>gaftJing *c dcfiniiion of «a miwhinc readable 
medium" m t J 8. To alicvi.tc .his conccn,, ^ 1 8 has been amended to cbrify that "a m«ch,n« 
r^ablc n,«,iam". in the present application, doe., no. Include .ofiworc and progran. 
prod«r,(..no.embodicdmaeon,put..rrc.dable medium. In view «f. he clarifying amendment. 
wiilHlniwal of the rejection under 35 U..S.C. §1011. respecifully requested. 

Mectjon Under 3.^ 1 i .<{ f si m- 

Claims 1-2. 4-5. 7-8. and 17-20 «.and rejected under 35 U.S.C. § 102(b) b«sed „,^n 
aUc^Sed public i«c or sale of the invemion. This contention is rrspcetfitlly tmverscd. 

A declaration by Christopher Lynn Tycho Brown under 37 C.P.R. §U32 accompanies 
the present response. In view of the d«:W.tion. Applicants respectfully request that the 
rejection undttr35 U.S.C. if 102(1,), be withdrtwn. 

Claims 1 -5. 8-10. 17. and 20-21 stand n?ieclcd under 35 1./.S.C. § 102(b) as al!e£.Hly 
being anticipated by Stevens (U.S. 2002/01 33702 Al ). with A.s=.f (US 6,728.S30 Bl), Moo;. 
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{US 2004/0003 135 Al ). definition of Hardware Ataian Layer (HAL) fit>n) 
htlp://on.wikipedia.oro ;.„d Documcm Ihcn, M5DN library, nnd Dcbugginfi Tcrtninology 
included as supporting documents. This contcnlion is rcspcclfuliy fravoved. 

Stevens describes mcibod, far yranting access lo a prolcclcd arcn, 5uch as a hard disk 
<invt ofn ™mputcr. after the computer has been hooted, by introducing BIOS {B.Tsic 
Input/Outpul System) modules that may be accessed aHer the computer is in normal operation. 

eg., Stcvcas n. T!s 8-9, 1 9, 45^6. 48-49. and 53.) Furthermore, Stevens u^achcs that a 
calling process ca,i ,c^.css the protected area 27 by locating and using an interlace of thesv^^ 
finmvarq. (&« Stevens at ^ fii: emphasis added.) litis aystcm tlm.ware (i.e.. the BIOS) is 
DQLiflJiivaletit to a itemol mode soft%v«rc mod«lc. as suggested by the 0/r.cc. 

The present application make, ihis distinction dear: "The data pK)ccs.sii,g system 200 can 
be Ecn.T;Uiy divided into four iayers: haidwarc. fim^m, talntoda and uscrmocfc." iScc 
Specification at ^ 1 9: emphasis added; and FIG. 2.) •ll.c supporting document, p„,vidcd by the 
Wiice ftl.^o provide t^idcnce ofthc clear distinction bct,.cen fhe BIOS and the kernel mode of 
*e operating .ysicm that indtides a hardware abstraction layer. (See e.^., As«af at col. 5. lines 
1 0-25; and http://en.wikipcdi«.ortywifci/Open.tjng_SyBlem.) Moreover, t.he p««ent application 
.ho makes clear that the BIOS and .he operating system (OS) or. distinct con^ponents. (Sec 
Spccifiration at ^ 21 .) Thus, Stcvcn.s' refen:nce to an interface of the system tirmwnre i. not the 
same as use of a tcernei mode software module. a.s Miggested by the Office. 

independent dnim 1 now recites. "detcrmlDing whether a storage device, in a data 
processiHK system ninning an operating system, includes stor^c area protection, the operating 



PA6E1»32*RCVDATm(l67:S1:00PM [Eastern DayligMTiinel'SVRiUSPTO^FU^^ 



08/29/2008 16:55 FAX 1 858 678 5093 FISH AND RICHARDSON 0016/032 



Applicsint : rhriMtipliur Lyiin Tydio Brown AiU)rnc> 's Dockci No.; I666C-0020aJ 

Serial No. : IOr7I3.853 

Filed : No veniber 14,2003 

Pttijc : l5of2B 



system including a hardwarii absiraciion layer: removing ihe stongc area prolcclion of the 
storinp-r Hrrvirr. from within ihc nmning operating system and yrj( |^ ^>ui rebooting the data 
nmcc s^ing -systcm^ thereby creating a formerly protected storage area; and providing information 
derived from the formerly protected storage area to a data processing svstem detection tool; 
wherein said determ inini^ and said rcmovinH occur in a ke rnel mode of the data proces sinj^ 
svstem ;^ (EmphiiJiLs added.) As dcscrllicd in a detailed example in rlkr spedfieaiion: 

The OS 220 can include a kernel ihat handles memory manngcmcnt, process 
and U\sk management, and disk managemenL 

To assist liiw cnforcTcmcnt s\\\6 infomiation security personnel in detemiininjj 
ifa user has utilized the protected area 212 to hide contrabiind or malwarc, a 
kcmcl-modc software module 2?jO can be used to provide access to the proiectcd 
area 212 and enable tlvc imaging and analysis of the protected htcr ?.\7 fmm 
wit!)in the iiinning operating system 220 and wifliout rebooting the data 
processing 3ystcm 200. 

llic kemeUniode software module 230 can be a device driver (c^i.^ a 
Windows Driver Model (WDM) driver). The software module 230 can be loaded 
into memory by a detection application 240, and the softwartt module 230 can 
provide a detection tool with access to the protected area 212. | . . . | 

Thus, the software module 230 and the detection application 240 can provide 
direci and live access to the proteciod storage iin^a 212 in order to image or 
analyze the protected storage area 213 in support ofsome dclcclion function. The 
snflwHn: modiile 230 and the detection application 240 enable direct access to the 
protected storage area live from the high level operating sy.^iem without the need 
to reboot, h cfTcct, the kcmcl-modc soflware module 230 operates as a broker 
for ibii deicxiian application 240, providing direct hnrr^w^^rc nr.rrr!;?; r.o i.he wscr- 
modc application despite I2ic hardware abstraction layer 222. Moreover, the 
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removal of ihe protected stoi^gc an^ 212 (i.e,, the removal of the prolccUon) 
be done vohtilcly so the proieciion can bo restored by tho next sys»«in reboot, 
leaving the storage Uevicc 210 unaltoccd, 

{See Specification atfls !9. 21, 22, iind 23; and Fig. 2.) 

Thus, tho presently ehimri subject mauer enables direct and live access to the protected 

storjge area of a previously unknown cnmptiter. without requiring a reboot. In staric contrast, ibc 

relevant BJOS modules in Stevens are stored in thr protected area 27 befbrc booting of the 

computer. (See <?.^., Sievctis at Tj 49.) \n other words, the presently claimed subject matter 

enables Ih,, Allowing order of events to occur: (1 ) computer is booted up; (2) computer h 

compromised and is still running; <3) detection componont(s) an; lo«,lcd on the computer; and 

(4) storage area protection rrmoved and information derived from the formerly protected 

storage area is obtained. In contrast .Stevens must first load the relevant BIOS modules lt«ft.rc 

die computer is booted up. and before the rompuier is compromised, in order to v/ork. 

For all of the above reasons, independent claim 1 should be In condition for allowance. 

Dcpcnilcnt claims 2-5, and should be palcnlablu based on the above arguments and the 

additional recitations tliey contain. For example, claim 10 recites, "uhrrdn the operations 

further comprise msmimJhmJimmm of the formerly protected storage .irea to derive Uie 

information." (Cmphasi:s added,) The Olllce contends that f 84 of Stevens describes this subject 

matter, stating, "Stevens teaches nccnvcry ofihe drive (paragraph 10084])." (See 001.-.^ Action 

»i page 0.) HowevcT. Stevens merely indir>,trs in this section that diagnostic and recovery 

appliciiiions placed in ihe PARTIES (Protected Area Run-Time Interface Extensions Services) 
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area can be u^ied to delcrmine whether a physical itetfect of the hard drive is tlic cause of a hoo« 
faiUin;: 

The prcscnf itivcnlion may be used for systrm diagnosis .-md recovery. A 
laffto percentage of hard drives returned to OEMs havetto physical defect. The 
usrr may have been inlbcted with a virus tlwl deleted 3 critical file, or is 
Kuffwing from a felled insUjlJ. These events can result in u drive returned to the 
system vendor. The PARTIES area provides a safe area to place di^c^nstic and 
recovery applications, In the event of a boot failure, the user can start the 
diagnosis and rccovco' scrvicrs. In the event of a technical support coll, a 
technician ronld ask the user to Initialo the system diagnostics. This capability 
will lead to fcwcrdisk drive returns. 

{See e.g.. Steven at ^ 84.) Nothing here suggesta tliat the di-icnnsis aiid recovciy services may 
also include an «pplieiuion to reconstr u ct a file s ystem of a formerly prulcctr^ .storage ama 10 
derive information that i.s .sent to a data processing system detection tool. Thus, claim 1 0 .<th<iuld 
be patentable for at least tliis additional nsisaii. 

While independent claim 17 has a dilTercnl scope than independent claim 1, claim 17 
should nonetheless bo patentable for similar rea-soas. In particular, Stevens docs not describe, 
"^•'^2fi-2L!aaED£!daifi^^ in a computing systmi ninninjj an operating system; 

and iadi!iayL!yhn,rtiufi the computing svslm. using the kcmeUmode snflw.^ ry mrvlntP to perform 
operations fimmaLUlihtaMiaiH^ die operations comprising dctenninine whnhcr a 

storaRC device in die eotnpulinj; .system includes storage area protection, and rcvcrsibly 
removing the storage area protection, thereby creating a fomierly protected storage ivca." 
(Emphasis added.) Thus, independent claim 17 should also he in condition for allowance. 
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DepcfKlcnt claims 20-21 .should be pajcmabfe based on tl>c above arguments and the atldit ionat 
rocitatioiiB Ihey contain. 

Claims 24. 26, 27, 2% and 32-35 stwd rrjcctcd under 33 U.S.C. § 102(e) as allegedly 
bring aniicipaicd by Adelslein ot a! (US 2004/(/260733 AI), with Shoji ci al. (US 2004/0216141 
Ai) and Moore (US 2004/0003135 Al ) included ag cvidenlia! rcfcretnrcs. This conicmion is 
respectfully travcrArd. 

independent claim 24 recites, "a daia proccsssing system dcleciion tool; and a kernel- 
mode software module opcwblc to pmviMr fhc dcleciion tool with access lo a Drotocled nr pa of a 
storage device In a dma processing sy:5lcm w]it>.ti tbc kcnjcl-mode software module is loaded into 
Uic dacaproceij^jlng system/^ (Fmphasis added.) 1 he Office misTukcnly equates Adclstein's 
reference to -darii not normally visible via the operatine system" wlh n host prelected area of a 
disk, 6Vr>r Office Action at page 10.) However, the cited portion of Adelstcin nuikcs dear that 
this is not the case: 

In one embodiment, forfin^ic device 12 may acquire an 'Mmagc" ofone or 
mnrc disks anached to target computing device 16 remotely via ihrt 
communication link between forensic device 12 and larget computing device 16. 
The ima^c I.n .m exact copy ("biisiream copy" or "miiror'') of all data on the disks, 
including data not nonnally viaible via the operating system of largci computing 
device 16. h\ addition, the image may also include an exact copy of memory 
(RAM) or mrmory swap gpiicc of target conjpulini^ device 16. The ima^^.c may be 
accjuircd by uKin.tt software on target computing; ilrvicc 16 that performs a direct 
■lg>v,-*CY.oLQgadp£lj^^ device 16 . then 

communicating the image lo forensic device 12 via SMB or the like. TargEt 
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romputing device 1 6 continues to operate while forenssic device 12 acquires Uk 
disk imafte, memory imago, or both. 

i:.^^, AiWsfcirt atTi 65; emphasise l\Mq6:) Those skilled in Ihc arl would understand from 

this descriplion dial Adclstciii Is referring to unallocated d isic space, not a pro iected area of tiw 

disk, 

Tlius, Adelstein does not describe ihc subject matter of indcpendenl claim 24, and claim 
24 should be in condition for aHowance. Dependent claims 26, 27, 29, and 32-35 sliould be 
patentable based on the above argumtjnU and the additional recitations ihcy contain. 

Rejections U n der 35 IIS.C. $ 103: 

Claim 7 stAnds rt:ji-ctcd Liritkr 35 U.S.C, § 103(a) as allegedly bcini> unpatentable over 
Stevviiis as applied to claims 1 -5, iuirl further in view of Rothman et a! (US 2004y0158695 Al). 
Claim 7 depends from independent claim I, which is in condilinn fnr allowance for the reasons 
discussed above. Thus, claim 7 should be patentable b«5cd at least on the arguments prcsftniftd 
abov£!. 

Claims Ifi-19 st;mrf rejected under 35 U.S.C. § 103(a) as allegedly being unpatemablc 
over Stevens as applied to claim 1 7. ;ind further in view of Adelstein ei al. This contention is 

rospectfiilly traversed. 

Claims 1 S-l 9 depend from independent claim 1 7, which is in condition for allowance for 
the reasons discussed above. Thus, claims 18-19 should be patentable based iit taiM on fhe 
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arguments presented abov€. In atldition, the proposed motivation to combine Adclstcin with 
Stevens cnnnoi. be supponcd. 

The Office siiggesU f hiit it would have been obvious to combine Adclslcm with Stevens 
because, "(paragraph [004R |, Aldcrstcin teaches by installing software on target device changes 
doUi stored in target device)/' (See OOicc Actinn ;it pnge t3.) Jnitially, il should be noted that 
this stalcment by the Office of the teachings of AldcniLcin appears to r.onrmHirf tiic Office's own 
use of Aldersicin since the Office is alleging Uiat Aldci^cin leacJies llic claimed, detection 
agent being tangibly embodied in the machine-readable med ium to run and dynamically load the 
kcmcl-mndf^ snftwarc module witho ut at terine ihe siorage device ." (Hinphasis added.) In fact, 
Ihc cited poninn pf Aldcrslcin is actually referring to prioritizing the order of acquiiiition 
operations: '^n accordance with one aspect of ihe invention, forensic device 12 may pcrfonu the 
acquisition operations in a particular order to ivducc tho impact the o|>crat5ons hnvK rm nthcx dnta 
stored within target computing device 1 6, thereby mointaining the inicgriLy of the data.'' (See 
L\g., Adelstein at ^ 48.) Thus, this portion of Adelstein docs not provide a motivation to modify 
Strvcns to use :i kernel-mode software module as claimed, 

MorftovcT, Stevens actually leaches away from the prof'koscd combination ijince Stevens' 
foetJS is on the use of BIOS modules, rather ihitn a kernel-mode software module. Stevens 
emphasizes tlie importance of the BIOS (system firmware) m?iini<!iTi!nj^ control of the host 
protected aj-ca, thereby maintaining the security of the protected (PARTTRS) area 27. dSee e.g., 
Stevens at i| 85.) 'Ilnis. Stevens actually teaches away from the proposed combination. 
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For itil of the. above reasons, a prima facie case of obviousness has nol been established 
for cither of claims 18 or 19. 

Cfaims 1, and 36 stawl n-jrclcci under 35 U.S.C. § 103(a) as allegedly Iwnfi 
unpaicmable over Adclfilcin el ttl. and Stevens, with Ajisaf (US 6J28,S30 Bl), Moon; (US 
2004/0003135 Al ), dcfinilioo oFHurdwatX) Abslractioii Layer (HAL) fmm 
hitp://ai.wikipedla.organd Document from MSDN Library, and Debugging Tcmiinobgy 
included as supporting documcnls. This conlenlion is rcspwtfully Iravoreed, 

For the reasons riisrussol above, neither Stevens nor Adclsldn describe the subject 
naalter of indcpcndan claim I , Fnrihmnnrc, a proper motivation lo combine Slovens with 
Adolslein has not been established. The proposed motivation to combine is -no increase tlic 
speed of the system." {See Ollice Action at page 16.) However, no ftyphnatJon is provided as to 
why or how combining Stevens with AdcJstein wowid improve ihc speed oflhc system. 
Moreover, for ihe reasons addressed above in connection witli claims IS and 19. Stevens actually 
loaches away from the pipposcd combination with Adelstcin. Thus, a prima facie case of 
obviousness has not been cstihlishcd hr independent claim 1, and this claim should bo in 
condition forallowmice. 

Dependent claims 9-1 1 should be patcntaWc at Irast based on their dqjendcnce from 
claim I . For example, claim 10 should be patcntabic for at least the additional reason thai 
Stevens docs not describe reconstructing a file system ofa formerly protecttsd storage an^a in 
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derive ia£bnnaiioa that is sent to a data processing system dertprlinji tool as discussed above. 
Thus, claim 10 should he patentable for at least this additional rciisoii. 

In addilion. claim ! 1 recites, "wherein providing the information derived from the 
fomicrly prolccled storage area further comprises selccljng the lran3port medium from a Kroup 
including aj><iripbP/Ai.<)^Vi?^Atter£^^ and a nclworic c ommiinicatioa<; medium " 

(Emphasis added.) llie Oiricc conteJKii? tliai ^[s 43. 44, 53, and 54 of Adelsuiin U!aches this 
subject matter, however, these ponions of Adelsiein merely dcscrihc di fferent way for 
OTnTiectiTij; the mohile rnnmsic device 12 with ihc client device 14 and the target device 16, in 
Vtirioiis CTTibpdi mentis. 

As ilhistraicd in FIG, K client device 14, forensic device 12 And target 
compuiing device 16 are coupled \o a common neuvork, such as rustomr-r 
network IS, In this manner^ customer network 18 acts as a communication link 
connecting forcn.«jic doHcc 1 2 with target computing device 16. Customer 
network 18 may, for example, be a local area network for a specific siieofan 
enterprise, or may span eco^;raphicai)y distributed sitcfl within the enterprise, f . . ,] 

FIG. 2 is a block diagram illustrating another cxcmpi^try rnmputcr forensic 
system 20 for retrieval and analysis of computer evidence in accordance with this 
disclosure, in this illustrated embodiment, computer forensic system 20 conforms 
substantially to computer forensic system 10 of FJC. 1, but user 15 conncrts to 
forensic device 12 via a public network 22^ such aji; the imemct. |... J 

FIO. 3 is a block Hiogram illustrating another cxcmplaiy computer forensic 
system 23 for retrieval and analysis of computer cvidetKC in accordance with this 
di$!cIo»ure, ]n this illustrated embodiment, computer forensic system 23 conforms 
substantially to computer foraisic system iO of FIG. 1 , but nscr 1 5 roimrrts 
directly to Ibrensic device 12 instead of conncctinj; to forensic device 12 via a 
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nclvvork. In the example of FIO. 3, client device 14 may be configured lo access 
forensic device 1 2 via Hired comrjuinicarion link, such as a phone line, a 
universal soriaJ bus (USB), a wireless port, a serial port, h parallel port, an 
infrarrri (TR> link or any other type of dirocl connection. 

iStt; ct.g.. Adelsicin at <ls 43, 53, and 54.) 

Adelstein is clearly describing thre« alternative embodiments here: a first in which each 
of Uie devices 12, 14, and 1 6 connect a customer network 18, a second in which a public 
network 22 is Imerposed betwtvn iHc client device 14 and tlic customer network IS, and a thiH 
in which the client device 14 connects directly lo the forensic device 12. Regardless of whether 
the; IVircn-^ic device 12, the client device 14, or the comblnaiion of the two is eqimtcd with die 
presently cleimed detection tool, Adelstein never suggests th;ii. an active selection ciin be made 
(after the system has been installed) between a jKinphcral device interiTaoe me<fium and » network 
commtinicalions medium for sending inform^ilinn lo a data pmcessing system detection tool. In 
all three embodiments shown in FtGs. J -3 of Adclsteiiv information sent lo the forensic device: 
12 from the larger device 16 sent over the customer network 1 8. Moreover, infonnntion 
exchange between the forensic dovice 12 and the client device 14 is accomplished using a direct 
cnmmunication link or a network, in alternative emboiiiments . Their, is no sv(££C5tion in 
Adelstein that a selection can be made between *i direct communication link and a network m 
one single embodiment. Thus, claim 1 1 should br patentable for at leaat this additional reason. 

Independent claim 12 recites, jimong other features, "removing the storage area 
protection of the sioragc device from within the rvimiing operating system and without rebooting 
the datn processing .system, thereby creating a formerly protected storage area; and providing 
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infomiotion derived from the fonncfly prolecicd storage area to adainprnccssing system 
detection tool; wheruin providing the Information derived from the fpmacrly protected storage 
area comprises scixling ilic infonyiation over a tntnsixjrt medium to the ciatft processing system 
detection tool; wherein proxncUngthc information derived from lUc formerly protected storage 
area furihcr compnsrs ftfrUy.ttm r the irflnsnort medium from a ^roupAneMitigjij)cripb[;rral device 
inLerfacc medium and a n etwork com mtmlcations medium; and wherein sendinjj die infomiaiton 
over the transport medium comprises s cndintf the infomiation in packets having d packet 
structure us eable over both tlie peripheral device irucrfacr mr^ium anti the ne twork 
com munication s nicdluiTi/* (Emphasis added.) 

VoT the reasons discussed above in conjicclion with ctuim 1 Adei$tcin does not describe 
selecting a transport medium from a firoup including & peripheral device interface medium ai\d a 
network communications medium. Furthemiore^ Adclslein docs not describe sending the 
infomiation in packets havins a packet strtJCture useable over both the pcriphcrnl device interface 
medium and the network communications medium. In fact, this ldti:r feature has not been 
adcquntely addressed by the OfQee. 

The cited portion of Adelstein mentions aquiring Ethernet statistics and the use of various 
access meiliods, such as Windows Management I rtstn» mentation (WMl), Server Message Block 
<SMB), and File Transfer Protocol (VT?U but does not describe use of a packet stntcuire useable 
over both a peripheral device interface medium and a network communications medium. 
Stevens does not cure these defccte of Adelstein. Thus, independent claim 1 2 should be in 
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condition for aUowancc for ai leasi ihcse reasons. OepBndent claims I? and 14 should 
patentable based on ihc above arsnmcnts nml the additional rxx;itat!ons they contain. 

Independeri t:l:iim 36 nnw rrcites. **mcan5 for directly accessing a protected area of a 
storage device m a finUx prncowing system live from a higli level operating system wilhout a 
rrsbofit; and means for delivering informaiion derive<i from the protected storage area lo a data 
praccsfiiny; system detection too); wheruin ihe means for delivering comprises rniih!-<ra n.5t)Qii 
m<^n^ for delivering Ibe information, including means for sdcctivdv cnmrnu nicating over a 
nelv^ork eommunica iions mediitm or a pcriphcTTit drvirx inlcrfaco mcdiuni to support remole 
iinaging and analysis of the dircclly acccssrd pmicctcd area." (Hmphasis added.) Thus, 
independent claim 36 should he patentable tor at least reasons esimilar to those discussed above 
with re;spect lo claim 12. 

Claims 15 and 16 5;tand rejected under 35 U.S.C. § 103(a) as allegedly being uitpatcoUiblc 
over AdeJstein et aL and Stevens as applied lo claims I and 9-14. and further in view of Kinsller 
(US 2003/01 07987 A 1 ) and Joy et al. (US 2O02/DW3982 A I ). This contention is respectfully 
tmversed. 

Claims 1 S mi 16 each depend from the allowable bmie claim 12. Neilher Kinstlcr nor 
Joy cure ihc dcfccta of Slovens and AdeUtoin. Thus, for at lesisi the reasons discussed above in 
connection with claim 1 2, claims 15 and 16 should be in condition for allowance. 

Moreover, the Office cites to H 5 of Kinsrler as allegedly tciiching ihc presently claimed, 
"wlierein the packet siruciure allows for only a onc-lci-rm<: cdruwtion/^ However, Kinstler'a 
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description of a oncvto-rme conncclion here relates lo network topology, not packet stnicturc. 
Wofcover, ihc rcjcr.»ioi» based on the proposed combinaiion of Kiiisttcr witli Stevens ond 
AdcLstcin represents improper hindsight rccoiwiructloii. since thft Office has merely used the 
present claim as a template for piecing logether unconiioclcd references, and ttie proCfered 
motivation to combine Cfor ftstcr daui transfer^ has m> relation to tlie claimed subject matter, 
which is a security feature of the communicalioits, not a data transfer accelerator. As dcscrihwi 
in the specification,, "The pw.kct structure can allow a strictly one-to-one cotinection to be 
spcciJled to incr«wr wwimunications security (i.e., the server agent mny he limited to 
TOinmimicating with only one client at a time)." {Sec Spei:!rir,itinn at ^36.) Thus, claim 1 5 
should he patetJtable for at least this additional reason. 

Claims 25 and 3 1 stand rejecied under 35 D.S.C. § 103(a) as allegedly being unpatcntaHft 
over Adelsicin ct al. as appliwl to claim 24. and further in view ofNlST (National Insiitutc of 
Standards and Technology) Harf Disk Write Block Tool Specification. This oontcntion is 

respcctAilly traversed. 

Claims 25 and 31 ouch depend from allowable hasc claim 24. NIST fails to cure tho 
deficiencies of Adelslcin. Thus, for ai least the reasons iliscos.scd above in connection with 
claim 24, claims 25 and 3 1 should be patentable. 
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The Office Action Summary page iiwJictUus thai claims 22. 23. 2R. and 30 are rejected, 
but these claims arc not addressed in the body or the Office Action. These claims dep«od from 
allowable hnsr claims for the reasons discussed above and arc thiis also potcnlaWe for at least 
this reason. In addition, lo the extent thai claims 22, ?.^. 2R. and 30 siand i«ioct.ed based on 
reasoning similar to what has been addressed above, these claims should be patentable ba.^cd on 
similar rcasonin}? to lliai prcsrolf-d nbove. 

Con clusion 

It is bclir-vcd that all of iho pcndinft claims have been addressed. However, the absonce 
of a reply lo a specific issue or comment docs not signify agreement with or concession of that 
iMue or commcnL Because ihe argumcnw made above may not be cxhaostive, there may b« 
reasons for patentability of any or :dl pending claims (or other claims) thai have no. been 
cxpreaacd. Finally, noilung in this paper should be constmed as an imcnt to ronwlc any issue 
with regard to any claim, except as specifically stated in this paper, and the amendment of any 
claim does not n>-.«ssarily sijjni fy concession of unpateniabilily of tho claim prior to its 
amendment. 

It is respectfully su.uRcstcd for all of these rca-sons. tliat tho current rejections arc 
overcome, that none of the cilcd an teaches or suggests the fontiires which arc claimed, and 
therefore thai all of these claims shonl.i he in condition for altov^.wcc. A formal aoiWx. of 
allowance is thus rcspectftiily requested. 
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